Friday, March 18, 2011

OAuth 2.0 for MVC, Two Legged Implementation

OAuth 1.0 was one complicated beast. The OAuth 2.0 spec greatly simplified things, but that also had the wonderful side effect of rending all of our old OAuth 1.0 code obsolete. They say that "the only thing a pioneer gets is an arrow in the back," I disagree, I say "the thing that only a pioneer gets to have is an adventure."

For example, I got to help write this wonderful, cutting edge, open source, OAuth 2.0 implementation for MVC!

OAuth 2.0 Overview

OAuth is all about tokens. You start by getting a Request Token from the server, and then using that to secure your login information. When you have successfully logged in you will be given a role/permission specific Access Token, you will then submit this token with all of your future requests. You will also get a Refresh Token with your Access Token. Once your Access Token has expired, you can then submit your Refresh Token to get a new pair of Access and Request Tokens.

Two Legged vs Three Legged

A two legged implementation is rather straight forward, you log into the server you are trying to access. A three legged implementation allows you to gain access to a resource by authentication with a third party server.  For the time being this project only supports two legged authentication.


You must implement four classes to use this library:

  1. OAuthIdentityBase
  2. OAuthPrincipalBase
  3. OAuthProviderBase
  4. OAuthServiceBase

The first three are very small classes, requiring only a few short lines of code. The Service is the work horse where most of your code will go, but even then it only requires the implementation of four methods.

public abstract class OAuthServiceBase : ProviderBase, IOAuthService
    public static IOAuthService Instance { get; set; }
    public abstract OAuthResponse RequestToken();
    public abstract OAuthResponse AccessToken(string requestToken,
        string grantType, string userName, string password, bool persistent);
    public abstract OAuthResponse RefreshToken(string refreshToken);
    public abstract bool UnauthorizeToken(string token);

Then of course you will need to update your Web.config:

    <section name="oauth" type="OAuth2.Mvc.Configuration.OAuthSection, OAuth2.Mvc, Version=, Culture=neutral"/>
  <oauth defaultProvider="DemoProvider" defaultService="DemoService">
      <add name="DemoProvider" type="OAuth2.Demo.OAuth.DemoProvider, OAuth2.Demo" />
      <add name="DemoService" type="OAuth2.Demo.OAuth.DemoService, OAuth2.Demo" />
      <add name="OAuthAuthentication" type="OAuth2.Mvc.Module.OAuthAuthenticationModule, OAuth2.Mvc, Version=, Culture=neutral"/>

Securing Your Pages

That's the easy part, just add the MVC Authorize Attribute to any actions or controllers that you want to secure.

public class HomeController : Controller
    public ActionResult Index()
        return View();
    public ActionResult Secure()
        return View();

The Demo API in Action

  • /oauth/requesttoken
    • Request Params
      • None
    • Result
      • RequestToken = a028f1895cc548af9de744f63d283f6e
      • Expires = 300
      • Success = true
  • /oauth/accesstoken
    • Request Params
      • oauth_token = a028f1895cc548af9de744f63d283f6e
      • username = tom
      • password = c4e5995d4cb8b26970336b956054ac1be9cc50b3
    • Result
      • AccessToken = 3b23ee5f128a45c88e657ecc74c41bbc
      • Expires = 300
      • RefreshToken = 85126a53bca940f1ae7c9d797f63a274
      • Success = true
  • /oauth/refreshtoken
    • Request Params
      • refreshToken = 85126a53bca940f1ae7c9d797f63a274
    • Result
      • AccessToken = 8cfc317af6ed45b2b065a8fa5da3ba81
      • Expires = 300
      • RefreshToken = d0b4a8898d974e939ca83b55cfeabcac
      • Success = true
  • /oauth/unauthorize
    • Request Params
      • oauth_token = 8cfc317af6ed45b2b065a8fa5da3ba81
    • Result
      • Success = true

Additional Resources

Happy authenticating!
~ Tom


  1. Hi Tom

    Is there a dummies guide to implementing oauth 2 in .net mvc 3/4. Iam familiar with stock .net membership, but iam struggling to get my head around oauth setup. Any links would be great. Thanks for the blog.


  2. Chris,

    I prefer to learn through example, so I'd suggest you check out some other implementations of the OAuth stack.

    I have heard good things about DotNetOpenAuth:

    If that does work, here are a few others:


  3. OAuth implementations doesn't working in iis 7/7.5 can you update config sections settings in web.config file.

  4. for iis 7 add to the webServer/modules as well:
    <modules runAllManagedModulesForAllRequests="true">
    <add name="OAuthAuthentication" type="OAuth2.Mvc.Module.OAuthAuthenticationModule, OAuth2.Mvc, Version=, Culture=neutral" />

  5. I implemented this on a Web API. I am trying to consume it externally with another client app. I am managing to connect to it and getting an access token but how will I use the access token to access [Authorize] methods externally? Thanks and great work really found this helpful.


Real Time Web Analytics